ATLANTA, Ga. — A growing legion of cyber war hawks contends that the world faces a mounting threat of hacker-driven cataclysm. These hawks warn of downed power grids, contaminated water supplies and derailed trains — at the hands of antagonistic governments or malevolent cyber gangs.
Doves, on the other hand, caution that the threat is exaggerated. They see uncertainty over the risks, and contend that cyber-hysteria is a subterfuge deployed by security firms hungry for profit, and by government officials seeking to erode privacy and accountability.
So is cyber war an existential threat, or an excuse to let big brother into our lives?
For insights, GlobalPost spoke with Lee Tien of the Electronic Frontier Foundation, a leading digital rights watchdog. Tien is a senior staff attorney specializing in cyber security, communications and surveillance.
The interview has been edited and condensed by GlobalPost.
Former Defense Secretary Leon Panetta warned that the United States faces the threat of a “cyber-Pearl Harbor.” He conjured images of toxic gas clouds, train derailments and a poisoned water supply caused by cyber attack. Is this fear mongering?
It’s hard to say. We don’t know whether or not the infrastructure is vulnerable enough for those sorts of things to happen. We do know that the administration is pretty serious about this stuff. They’ve been speaking strongly and consistently about all sorts of cyber security issues, which is a good thing.
Our problem is with, as you called it, an element of fear mongering that seems deceptive and more rhetorical than real. Since the discussion is classified and framed in a militarized context, we have no way of knowing what the real concerns are.
Are there sufficient political deterrents in place to stop states from damaging each other’s critical infrastructure? Is there a cyber war doctrine of mutually assured destruction?
There is a lot of uncertainty right now over the laws of cyber warfare. For example, what constitutes an attack that would justify retaliation, proportional or overwhelming? Do we apply the laws of armed conflict? Many countries seem to have begun applying the laws of armed conflict in this space.
We’re seeing a large amount of discourse about this issue but most of it is not public. We see signs of it, like when the president issues a classified directive concerning cyber security. We just don’t know how the chain of command works or who is making decisions. It’s certainly unclear on the US side of the issue.
Deterrence is always an issue. I don’t know if it is the same level of MAD [mutually assured destruction] but there is always a concern over, “If we do this what will they do to us?”
Would you say that the administration’s concerns over vulnerabilities in critical infrastructure networks are justified, but the methods it’s using to defend them and govern the cyber realm are problematic?
It’s hard to know how justified the concern really is. There is clearly a threat but it’s difficult to evaluate that threat, making it hard to evaluate their response to the threat as well. There is a great deal that we simply don’t know and information we don’t have access to.
Another focus of cyber security and cyber warfare policy has been making the laws governing computer crime, specifically the Computer Fraud and Abuse Act, more stringent. The EFF has played an active role in cases like the one against Aaron Swartz, and many others, where the laws have been used in an overreaching way, stemming from a problem within the law itself. These laws are not written clearly enough. We have the same concerns about cyber security legislation like CISPA: the laws are being drafted vaguely, presenting unnecessary risks to private citizens.
There is extensive evidence of widespread cyber espionage. What keeps countries like North Korea and Iran from launching cyber attacks against their enemies’ critical infrastructure using the information they’ve seized through cyber espionage?
First, there is a big difference between cyber espionage and cyber warfare. Cyber security doesn’t prejudge things as acts of war. When you conflate cyber espionage and cyber warfare, you’re mixing two fairly different things. Traditional espionage is also widespread but countries that spy on each other are not necessarily in a state of war.
Strong evidence for the existence of cyber espionage does not necessarily translate into evidence for violent attacks or imminent cyber warfare. This logic needs to be established.
Are your concerns over the classified nature of cyber security policy based mainly on privacy concerns or are there other issues as well?
Part of it is that we should be more informed about what our military is doing when it’s employing offensive tactics, or when it’s involved in surveillance of domestic networks. Those are obvious and general concerns about privacy and transparency in a democratic society.
There are also plain old security issues. Are we missing opportunities to address garden variety security problems important to individuals because they’re being swept into the context of national security?
Some activists argue that there is a more sinister, ulterior motive in stoking cyber war fears. The New Republic reported that endorsements for cyber security legislation have been made by experts thought to be independent but who have financial relationships with security software firms. Is there financial collusion between lawmakers and the information security industry, or is that paranoia on the part of activists?
Oh, I think it’s definitely going on. That’s not paranoia. That’s the way the political world works. All sorts of initiatives, in some ways, have winners and losers. The security industry in general has experienced a boom since 9/11 and no one would be surprised to hear that companies active in the security industry are also active in getting government grants for security research. It’s a given: always follow the money.
A lot of these businesses stand to profit from cyber security legislation. If they understand their own economic interests then they will be lobbying for things like CISPA.
So, notions of cyber attacks causing massive toxic gas clouds, widespread blackouts and public panic — are we hearing this because the scenario is financially beneficial to the military industrial complex, or due to actual concerns based on evidence?
It’s really hard for me to say. There is a lot of evidence for weaknesses in critical infrastructure. But as far as a big picture analysis where someone has actually done a methodologically sound risk analysis, I don’t think that’s been conducted in a way that we the public are able to clearly understand the issues.